Method and system for incorporating filtered roles in a directory system

ABSTRACT

Role is a comprehensive grouping mechanism. In a client-server directory system, roles transfer some of the complexity to the directory server. A role is defined by its role definition entry. Assigning entries to roles enables applications to locate the roles of an entry, rather than select a group and browse the members list. Additionally, roles allow for support of computed attribute values, and server-performed membership verification for clients.  
     Several types of roles are disclosed herein. The difference between the role types relates to their capabilities, which in turn derive from how they are implemented. When a client application wishes to identify all entries with some characteristic, e.g., everyone who is a manager and works in a designated building, a filtered role—which uses an LDAP filter in order to search a designated portion of the directory system and to identify those entries that possess the characteristics described in filter—is used.

TECHNICAL FIELD

[0001] The disclosed system and method relate generally to providingdirectory services in a centralized or distributed computingenvironment, and more particularly, to a directory service that usesmethods of grouping entries.

BACKGROUND

[0002] Electronic directories or directory servers are becomingimportant tools to manage network resources. The term Directory Servicerefers to a collection of software, hardware, and processes that storeinformation about an enterprise or an organization and make theinformation available to users. A directory service generally includesat least one instance of Directory Server and one or more directoryclient programs. Client programs can access names, phone numbers,addresses, and other data stored in the directory. For example, onecommon directory service is a Domain Name System (DNS) server. A DNSserver maps computer host names to Internet Protocol (IP) addresses.Thus, all of the computing resources (hosts) become clients of the DNSserver. The mapping of host names allows users of an organization'scomputing resources to easily locate computers on an organization'snetwork by remembering host names rather than numerical IP addresses. Itshould be noted, however, that while the DNS server stores only twotypes of information, namely, names and IP addresses, a true directoryservice stores virtually unlimited types of information.

[0003] A directory server forms a central information repository thatprovides data warehousing functionality to access users and groupings towhich users belong. By thus becoming a central point where network,security and application services are able to obtain information, thedirectory has emerged as a key component of an integrated distributedcomputing environment. Additionally, the centralization of informationhas enabled ease of administering the information. Several uses ofdirectories are known: (1) as naming service e.g., Directory NamingService for Internet host addresses; (2) as user registry for storinginformation of all users in a system of interconnected computers; and(3) a Yellow Pages service, which allows E-mail clients to performlook-up to find destination addresses.

[0004] A directory service uses a namespace, which provides forefficient referencing and retrieval of collections of relatedinformation, such as a person's name, organization, physical address,and e-mail address. Corporate directories have been evolving independentof any standardized protocol to access them. On corporate Local AreaNetworks (LANs), each e-mail system has its own directory, which is notinteroperable with those of other vendors. On larger systems usingTCP/IP, there is no single directory standard—certainly not one that isroutinely used on the scale of intranets.

[0005] Standardized Directory Access Protocols (DAP) such as theX.500—which is the International Telecommunication Union (ITU-T)standard for directories—are designed to provide a uniform method ofaccessing the directory servers from any application program executingon any computer system. These protocols are designed to overcome theproblems of incompatible host systems and access procedures. Referringto FIG. 1, applications and users access a directory service by making arequest to a Directory User Agent (DUA), which transfers the request toa Directory System Agent (DSA), using the DAP. The directory itself caninclude one or more DSAs. The DSAs can either communicate amongthemselves to share directory information, or can direct the DUA to usea specific DSA. This latter mechanism is called a referral. Referralscan happen when DSAs are not set up to exchange directory information,such as in cases where administrators did not agree on how to interworkwith these components, or due to security concerns.

[0006] As shown in FIG. 2, in X.500, there are 17 base object classessuch as Country, Organization, Organizational Unit, Locality, andPerson. These object classes can have one or more of the 40 attributetypes such as Country, Organization Name, Organizational Unit Name,Locality Name, and Common Name. FIG. 3 shows a hierarchically arrangedinstance of X.500 data tree.

[0007] X.500 forms the application layer of the well-known 7-layer OpenSystems Interconnection (OSI) protocol stack, and requires a largeamount of memory and operational overhead. Moreover, X.500 addressinghas become quite complex. In X.500, the namespace is explicitly statedand is hierarchical. Such namespaces require relatively complicatedmanagement schemes. The naming model defined in X.500 is concernedmainly with the structure of the entries in the namespace, not the waythe information is presented to the user.

[0008] The complete set of all information held in a Directory is knownas the Directory Information Base (DIB). It should be noted that not allof this information is visible to normal users of the Directory.Referring to FIG. 4, in a Directory User Information Model, an entryholds information about an object of interest to users of the Directory.These (Directory) objects might typically be associated with, or be somefacet of, real world things such as information processing systems ortelecommunications equipment or people. So there can be a Directoryentry for an X.400 Message Transfer Agent (MTA), and another one for themanager. However, it is very important to note that Directory objects donot necessarily have a one-to-one correspondence to real world things.This has typically caused a lot of confusion to non-experts, many ofwhom assume that every entry in the Directory contains all the relevantinformation about one real world thing. This is not necessarily so.Directory objects, and hence entries, can have a one-to-onecorrespondence with real world things, or can have a many-to-one orone-to-many relationship with real world things. For example, aDirectory object/entry may be a mailing list containing the names ofmany real people (one-to-many correspondence). Alternatively, a realperson may be represented in the Directory as both a residential personobject/entry and an organisational person object/entry (many-to-onecorrespondence). In the latter case, the organisational person Directoryentry would hold information that is relevant to describing the personin their working environment, holding their office room number, internaltelephone extension number, electronic mail address, and the departmentetc., the residential person Directory entry would describe the personin their residential capacity, holding their home postal address andhome telephone number etc. Objects that have similar characteristics areidentified by their object class. Every object entry in the Directory isa member of at least one object class. So, for example, there is an‘organizational person’ object class for organizational person entries,and a ‘residential person’ object class for residential person entries.This organizational person object will be explained in detail below.

[0009] Also shown in FIG. 4 are entries. Every entry in an X.500Directory Information Tree (DIT) is a collection of attributes, eachattribute composed of a type element and one or more value elements.Because it was designed to accommodate all types of directories, in caseof the X.500, the DAP has become too general to be easily configured towork with specialized applications. These reasons have resulted in alimited user acceptance of X.500. Each piece of information thatdescribes some aspect of an entry is called an attribute. An attributecomprises an attribute type and one or more attribute values. An exampleof an attribute type might be ‘telephone number’ and an example of atelephone number attribute value might be ‘+91 861 324 251’.

[0010] The Lightweight Directory Access Protocol (LDAP) has emerged asan open standard from the Internet Engineering Task Force (IETF) toprovide directory services to applications ranging from e-mail systemsto distributed system management tools. LDAP was created as a protocolfor accessing X.500 directories so that clients could run on desktopcomputers without affecting performance. LDAP is based on aclient-server model in which a client makes a TCP/IP connection to aDirectory server, sends requests, and receives responses. The LDAPinformation model, in particular, is based on the concept of a “targetentry”, which contains information about some object. In thisapplication, an unqualified reference to an “entry” means that areference is made to a “target entry.”

[0011] Entries are typically organized in a specified tree structure,and each entry is composed of attributes. In an LDAP-compliant directoryserver, each user and group in an organization or an enterprise isrepresented by a Distinguished Name (DN) attribute. As defined inRequest for Comment (RFC) 1779, DN attribute is a text string thatcontains unambiguous identifying information for an associated user,group, or object. DNs are used when a change is made to a user or groupdirectory entry. Directory server entries are typed by an objectclassattribute, which allows searching for those entries with a particularvalue to the objectclass attribute. To search a company's salesdepartment of a United States corporation, for example, an Directoryserver query in the Uniform Resource Locator (URL) format:

ldap://ldap.corp.com/ou=sales,o=corp,c=us??sub?objectclass=person

[0012] This returns all person entries in the directory tree below theentry named by Organizational Unit Name=sales; Organization Name=corp;and Country Name=US. After entries are made for a directory,administration of these entries can be made easier by grouping theseentries.

[0013] As shown before in FIG. 3, typical directory tree organizesentries only hierarchically. This structure may not be optimal forshort-lived or changing organizations where groupings can be made basedon an arbitrary user attribute. Moreover, in a typical directory system,a client application is tasked with determining the type of groupingsdesired and providing the logic for search requests to achieve thedesired results. One could garner some efficiencies in the clientapplication logic by pushing some complexity to the server side. Butthere is no known system that provides such a solution. Accordingly,there is discovered a need for an advancement in the art.

SUMMARY

[0014] An X.500 (or LDAP) style directory service provides a standardinterface for client software to retrieve information about entities(usually people and network elements) from a centrally managed datarepository. For example, an e-mail server application may want toretrieve the e-mail address for a person by supplying the person's fullname. A traditional directory server can apply certain semantics to theinformation it holds, based on client identity. For example, rights tomodify a password attribute may only be granted to the user's ownpassword and to an administrator from the same department as the user.However, extending this type of enhanced interpretation of directorydata in the context of a system function outside the directory serverproved problematic.

[0015] As an example, consider a web accounting application that needsto restrict the creation of purchase orders to purchasing departmentstaff, unless the order value is less than $1000 in which case managerscan place orders. With a traditional Directory Service the applicationcan choose to store an attribute for each person entry which dictatesthe maximum value purchase order that person may create. This scheme hasthe disadvantage that the logic behind the assignment of order value toeach person may be lost.

[0016] In addition, if the purchase policy should change, the value mustbe changed for each and every person. So, another approach would be tostore a description of the purchasing polity in the directory server, orperhaps externally. This scheme retains the policy logic, and allowseasy policy changes, however the accounting software now has to“understand” the directory structure and schema. In addition, when thereare many such applications, each one will now have its own policymechanism most likely all incompatible meaning increased training andsupport costs.

[0017] The presently disclosed mechanisms—roles and class ofservice—seek to provide directory applications like the purchasingexample above with a mechanism by which they can delegate to thedirectory server responsibility for implementing their policies. Thusthe benefits of a centrally managed directory service (one managementmechanism, tight control can be maintained) are retained while allowingdirectory applications to flexibly implement a range of policies.

[0018] For example, consider the case of a corporate purchaseimplemented in a system that provides for roles and class of service.One can define a role signifying ability to enter purchase orders. Thismight have a filter like “employee type=manager ordepartment=purchasing”. The purchasing application now needs only tocompare the role attribute on a given person's entry in the directorywith the name of the “can purchase” role to determine if a purchaserequest is valid. In addition, one might define a class of service whichgenerates an attribute indicating the maximum purchase order value forevery employee. The definition can be such that employees without the“can purchase” role have a zero value; employees with the can purchaserole and who are not in the purchasing department have value 1000; andthose with the “can purchase role” which are in the purchasingdepartment have value 1000000000. Note that in this example no real datais stored in user entries—the directory server generates the data fromthe policies embodied in the role and class of service definitions. Thefollowing table shows some differences between approaches: Central Easeof Management Maintenance Client Complexity Static groups Yes No MediumDynamic groups Yes Yes High External Application No Possibly very Logichigh Roles and COS Yes Yes Low

[0019] Accordingly, in an aspect, the present disclosure is directedtoward grouping entries in a directory server. In particular, twomethods of grouping entries and sharing attributes between entries aredisclosed. These are “roles” and “class of service.”

[0020] Role is a comprehensive grouping mechanism. In a client-serverdirectory system, roles transfer some of the complexity to the directoryserver. A role is defined by its role definition entry. Roles enableapplications to locate the roles of an entry, rather than select a groupand browse the members list. Additionally, roles allow for support ofgenerated attribute values, and directory server-performed membershipverification for clients. By changing a role definition, a user canchange an entire organization with ease. Any client with appropriateaccess privileges can discover, identify and examine any roledefinition. Any client with an appropriate access privilege can add anew role definition, or modify existing role definitions. Further, roledefinitions can be replicated in a distributed environment. Each rolehas entries called “members.” Members of a role are said to “possess”the role.

[0021] A client application can perform the following operations onroles.

[0022] (1) Enumerate the members of the role;

[0023] (2) Obtain an enumerated list of role members, which can beuseful for resolving queries for group members quickly;

[0024] (3) Determine whether a given entry possesses a particular role;

[0025] (4) Determine the roles possessed by an entry, which can help aclient-side application to determine whether the entry possesses thetarget role;

[0026] (5) Enumerate all the roles possessed by a given entry;

[0027] (6) Assign a particular role to a given entry; and

[0028] (7) Remove a particular role from a given entry.

[0029] A client application can check role membership by searching thensRole attribute, which is computed by the directory server andtherefore is up-to-date. From the point of view of a client application,the method for checking membership is uniform and is performed on theserver side.

[0030] Roles are classified as simple and complex. An example of asimple role is a Managed role, which allows a user to create an explicitenumerated list of members. Managed roles are added to entries using thensRoleDN attribute. Examples of complex roles include (i) FilteredRoles, (ii) Nested Roles, and (iii) Enumerated Roles.

[0031] Briefly stated, the difference between the role types relates totheir capabilities, which depend on the implementation of these devices.For example, a managed role is just a label stored with a directoryentry, whereas a filtered role is defined by the characteristics ofentries. So one uses a “managed” role when one wants to just “give” orassign a role to an entry. When one wishes to identify all the entrieswith some characteristic, e.g., everyone who is a manager and works in adesignated building, a filtered role—which uses an LDAP filter in orderto search a designated portion of the directory system and to identifythose entries that possess the characteristics described in filter—isused. Nested roles are those that contain or include other types ofroles. Enumerated roles are possessed by an arbitrarily assigned list ofentries that may have nothing in common otherwise.

[0032] Filtered roles allow a user to assign entries to the roledepending upon the attribute contained by each entry. In an embodiment,a user assigns entries by specifying an LDAP filter. Entries that matchthe filter are said to possess the role. Nested roles allow a user tocreate roles that contain other roles. The user specifies the rolesnested within a nested role by using the nsRoleDN attribute. Anenumerated role provides an arbitrary list of members each of whichpossesses the enumerated role. The members that possess an enumeratedrole need not have any other common feature than the fact that they areall enumerated together in a particular list. Enumerated roles aresimilar to static groups except that no nesting is allowed within anenumerated role. If an enumerated role is possessed by a member which isitself a nested role, then the server software may take an indefiniteaction with regard to that member. A second difference betweenenumerated roles and a static group is that it is illegal to add amember to an enumerated group where that entry lies outside the subtreespecification.

[0033] Class of Service (CoS) allows a user to share attributes betweenentries in a way that is transparent to an application. This is achievedby generating the values of the attributes by a CoS logic at the time ofor immediately prior to the time the entry is transmitted to anapplication, rather than storing the values of the attributes with theattribute itself. In alternative embodiments, the attributes may begenerated at a time well before the time the entry is transmitted to anapplication.

[0034] A CoS includes a CoS Definition entry and a Template entry. Thesetwo entries interact to provide attribute values to target entrieswithin their CoS “scope” based on the DN of the CoS Definition entry,the attribute value stored in the target entry's CoS Template, and otherfactors. An entry may be within the scope of a CoS Definition entry butmay not be qualified to receive a value from the scheme made up of CoSDefinition and templates. A CoS specifier is an attribute which containsa value. The value of the CoS specifier is the attribute type which mustbe present in the entry and the value of that attribute determines theclass of the target entry. The absence of that attribute may determineif the target entry qualifies for a default value under the scheme.Thus, the presence or absence of the target entry's CoS specifierdetermines whether the target entry qualifies for a value.

[0035] The CoS Definition entry, which is stored as an LDAP subentrybelow the branch at which it is effective, identifies the type of CoSbeing used. The Template entry contains a list of attribute values thatare shared. Any change made to the template entry's attribute values isautomatically applied to all entries that share the attribute. Dependingon how a Template entry is identified, three types of CoS arecontemplated in this disclosure: Classic CoS, a Pointer CoS, andIndirect CoS. Classic CoS identifies a template entry by both its DN andthe value of one of a target entry's attributes. Pointer CoS identifiesa template entry using only a Template DN. There can be only oneTemplate DN for each pointer CoS. Indirect CoS identifies a templateentry using the value of one of a target entry's attributes, which mustcontain the DN of an existing entry.

[0036] Roles and Classic CoS can be used together to provide role-basedattributes, which appear on a target entry because the target entrypossesses a particular role with an associated CoS template.

BRIEF DESCRIPTION OF THE DRAWINGS

[0037] These and other features of the principles disclosed herein aremore readily understood from the following detailed description and theaccompanying drawings where like numbers designate like parts, whichdrawings are incorporated in and constitute a part of thisspecification, and wherein,

[0038]FIG. 1 is a client-server architecture depicting a directoryserver interacting with a directory user agent;

[0039]FIG. 2 shows the relationship between some X.500 object classes;

[0040]FIG. 3 shows a hierarchically arranged instance of X.500 datatree;

[0041]FIG. 4 depicts a directory information model;

[0042]FIG. 5 is a block diagram that illustrates a computer system uponwhich an embodiment of the disclosed system and method can beimplemented;

[0043]FIG. 6 depicts the relationship between Object Classes andAttribute Types/Syntax to Entries;

[0044]FIG. 7 illustrates a managed role definition;

[0045]FIG. 8 illustrates an instantiation of a managed role;

[0046]FIG. 9 depicts a filtered role definition;

[0047]FIG. 10 shows a nested role definition;

[0048]FIG. 11 shows an enumerated role definition;

[0049]FIG. 12 illustrates the concept of scope of a role;

[0050]FIG. 13 depicts the steps performed at the server in enumeratingthe entries that possess a given role;

[0051]FIG. 14 illustrates a Classic Class of Service (CoS) scheme;

[0052]FIG. 15 illustrates the concept of scope of a class of service;

[0053]FIG. 16 illustrates the relationship between the class templateentries for a given CoS scheme;

[0054]FIG. 17 shows the relationship of an entry's RDN to an entry's DN;

[0055]FIG. 18 shows a Classic CoS definition;

[0056]FIG. 19 shows an example of two corresponding template entriesusing Classic Cos;

[0057]FIG. 20 illustrates a Pointer CoS scheme;

[0058]FIG. 21 illustrates a Classic CoS scheme;

[0059]FIG. 22 illustrates a Pointer CoS definition;

[0060]FIG. 23 illustrates an indirect CoS scheme; and

[0061]FIG. 24 shows an indirect CoS definition.

DETAILED DESCRIPTION A. Computer Architecture

[0062] The presently disclosed system and method can be implementedusing hardware, software or a combination of hardware and software.Specifically, the disclosed system and method can be implemented usingeither object-oriented programming languages, like the Java and C++programming languages, or procedural programming languages such as the Cprogramming language. The disclosed system and method can be implementedusing a computer system with a single personal computer or a network ofmultiple computers.

[0063] Reference will now be made in detail to exemplary embodiments ofthe disclosed system which are also illustrated in the accompanyingdrawings. Although the description includes exemplary embodiments, itcan be easily seen that other embodiments are possible, and changes canbe made to the embodiments described without departing from the spiritof the disclosed system and method.

[0064]FIG. 5 is a block diagram that illustrates a computer system 100upon which an embodiment of the disclosed system and method can beimplemented. Computer system 100 includes a central processor unit (CPU)104 such as the SPARC® microprocessor, which is coupled via bus 102 toother devices such as memory device 106 such as a semiconductor memoryor other Random Access Memory (RAM) device, storage device 110 such as adisk drive, input device 114 such as a keyboard, mouse, joystick,touch-sensitive pad, microphone or camera, and output device 112 such asCRT, flat-panel display, speaker, Light Emitting Diodes, or the like.Computer system 100 also includes a communication interface 118 coupledto bus 102. Communication interface 118 provides a two-way datacommunication coupling to a network link 120 that is connected to localnetwork 122. Configured on the storage device 110 is a one or moredatabases such as the LDBM, the Oracle Relational Database ManagementSystem, or a flat file. It should be noted that the one or moredatabases could be configured on a different processor or set ofprocessors than the CPU 104, and could be coupled to the computer system100 via a network connection.

[0065] Consistent with one implementation of the disclosed system andmethod, information from the multiple remote resources is provided bycomputer system 100 in response to CPU 104 executing one or moresequences of one or more instructions contained in main memory 106. Suchinstructions can be read into main memory 106 from anothercomputer-readable medium, such as the storage device 110. Execution ofthe sequences of instructions contained in main memory 106 causes CPU104 to perform the process steps described herein. In an alternativeimplementation, hard-wired circuitry can be used in place of or incombination with software instructions to implement the disclosed systemand method. Thus implementations of the disclosed system and method arenot limited to any specific combination of hardware circuitry andsoftware.

[0066] As used in this application, the word selection or input includesinputting any information by way of pressing a key, mouse button,touching a touch-sensitive area, spoken word(s), infra-red or otheroptical method, or via a wireless method.

[0067] The term “computer-readable medium” as used herein refers to anymedium that participates in providing instructions to CPU 104 forexecution. Such a medium can take many forms, including but not limitedto, non-volatile medium, volatile medium, and transmission medium.Non-volatile medium includes, for example, optical or magnetic disk,such as storage device 110. Volatile medium includes dynamic memory,such as main memory 106. Transmission medium includes coaxial cable,copper wire and fiber optics, including the wires that include bus 102.Transmission medium can also take the form of an acoustic or a lightwave, such as that generated during radiowave and infrared datacommunication. Common forms of computer-readable media include, forexample, a floppy disk, a flexible disk, hard disk, magnetic tape, orany other magnetic medium, a CD-ROM, any other optical medium, punchcards, papertape, any other physical medium with patterns of holes, aRAM, PROM, EPROM, a FLASH-EPROM, any other memory chip or cartridge, acarrier wave as described hereinafter, or any other medium from which acomputer can read.

[0068] Various forms of computer readable media can be involved incarrying one or more sequences of one or more instructions to CPU 104for execution. For example, the instructions can initially be carried onmagnetic disk of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 100 canreceive the data on the telephone line and use an infra-red transmitterto convert the data to an infra-red signal. An infra-red detectorcoupled to bus 102 can receive the data carried in the infra-red signaland place the data on bus 102. Bus 102 carries the data to main memory106, from which CPU 104 retrieves and executes the instructions. Theinstructions received by main memory 106 can optionally be stored onstorage device 110 either before or after execution by CPU 104.

[0069] Communication interface 118 can be an integrated services digitalnetwork (ISDN) card or a modem to provide a data communicationconnection to a corresponding type of telephone line. As anotherexample, communication interface 118 can be a local area network (LAN)card provide a data communication connection to a compatible LAN.Wireless links can also be implemented. In any such implementation,communication interface 118 sends and receives electrical,electromagnetic or optical signals that carry digital data streamsrepresenting various types of information.

[0070] Network link 120 typically provides data communication throughone or more networks to other data devices. For example, network link120 can provide a connection through local network 122 to a hostcomputer 124 and/or to data equipment operated by an Internet ServiceProvider (ISP) 126. ISP 126 in turn provides data communication servicesthrough the Internet 128. Local network 122 and Internet 128 both useelectric, electromagnetic, or optical signals that carry digital datastreams. The signals through the various networks and the signals onnetwork link 120 and through communication interface 118, which carrythe digital data to and from computer system 100, are exemplary forms ofcarrier waves transporting the information.

[0071] Computer system 100 can send messages and receive data, includingprogram code, through the network(s), network link 120 and communicationinterface 118. In the Internet example, a server 130 might transmit arequested code for an application program through Internet 128, ISP 126,local network 122 and communication interface 118. In accordance withthe presently disclosed system and method, one such downloadedapplication links a user to a directory record by associating a uniquereference identifier with both the user and the record, as describedherein. The received code can be executed by CPU 104 as it is received,and/or stored in storage device 110, or other non-volatile storage forlater execution. In this manner, computer system 100 can obtainapplication code in the form of a carrier wave.

[0072] Although computer system 100 is shown in FIG. 1 as beingconnectable to one server, 130, those skilled in the art will recognizethat computer system 100 can establish connections to multiple serverson Internet 128. Furthermore, the computer system 100 is one that can beconfigured to perform the function of (an X.500 or an LDAP) directoryserver as will be explained in the following.

B. Overview of Static and Dynamic Groups

[0073] Groups are typically defined based on certain commoncharacteristics of the members of the groups. A member can be includedin a group if the member has an attribute of a specific type. Groups canbe static or dynamic. A “static” group is one which where membership isspecified by presence in a list. An analogy would be a piece of paperwith a list of names. Anyone named on the paper is in the group.Membership may change at any time, just as one might cross a name offthe paper list or write in a new name. So they are not terribly static.

[0074] A dynamic group is one where membership is inherent in someproperty of the entries. For example a group containing a number ofpersons in a building might be “everyone on the third floor”, and thiswould be defined by a filter (query) against the directory for“floor=3”. As people are moved around the building, they may become partof the floor3 group, or leave it, depending on their location. A keyfeature of dynamic groups is that they require no explicit maintenance—astatic group which is intended to contain everyone on the third floorwould need to be maintained, either manually or by a script and so wouldbe either prone to error or not always up to date. There are alsoimplementation efficiency issues relating to static versus dynamicgroups. Thus, in a dynamic group, instead of looking at a groupattribute to verify if a user possesses the group attribute, membershipis determined by checking a user attribute, which can be specifiedarbitrarily.

C. Overview of Roles

[0075] A role is a comprehensive entry grouping mechanism, similar tothe group concept. Role unifies the concepts of static and dynamicgroupings, but transfers some of the complexity to the server side fromthe client side. While dynamic groups contemplate a hierarchicaltree-like structure of an organization, roles assume that logically anorganization structure could be substantially flat or hierarchical.

[0076] The directory system expresses the fact that an entry possess arole by placing the Distinguishing Name (DN) of the role in a computedand operational attribute, for example, the nsRole attribute. A computedattribute is one that is computed on the fly; it is a result of acomputation. A computed attribute does not need to exist in a physicalform; it can be stored temporarily in memory. An LDAP operationalattribute is one that is available only if requested. The attributensRole is both computed and operational.

[0077] Each entry assigned to a role contains an attribute callednsRole, which is a computed attribute that specifies all of the roles towhich an entry belongs. Roles enable applications to locate the roles ofan entry, rather than select a group and browse the members list.Additionally, roles allow for support of generated attribute values, anddirectory server-performed membership verification for clients. Bychanging a role definition, a user can change an entire organizationwith ease. Moreover, roles can use the LDAP Virtual List View (VLV)control mechanism to enumerate the membership in a role.

[0078] A role is defined by a role definition entry. A role is uniquelyidentified by the distinguished name (DN) of its defining entry. Roledefinition entries are implemented as LDAP subentries. Thus, a roledefinition entry inherits subentry mechanism for scope of application toa DIT subtree. An aspect of a role is that each role is defined by anentry stored in the DIT. Any client or program executing on the a clientwith appropriate access privileges can discover, identify and examineany role definition. Any client or client program with an appropriateaccess privilege can add a new role definition, or modify existing roledefinitions. Further, role definitions can be replicated in adistributed environment.

[0079] Each role has entries called “members.” Members of a role aresaid to “possess” the role. Two varieties of roles are possible: simpleroles, and complex roles. This classification, in one aspect, allows forimplementation efficiency and supports some management functions. Aclient application can perform the following operations on roles.

[0080] (1) Enumerate the members of the role.

[0081] (2) Obtain an enumerated list of role members, which can beuseful for resolving queries for group members quickly.

[0082] (3) Determine whether a given entry possesses a particular role.

[0083] (4) Determine the roles possessed by an entry, which can help aclient-side application to determine whether the entry possesses thetarget role.

[0084] (5) Enumerate all the roles possessed by a given entry.

[0085] (6) Assign a particular role to a given entry.

[0086] (7) Remove a particular role from a given entry.

[0087] A client application can check role membership by searching thensRole attribute, which is computed by the directory server andtherefore is up-to-date. From the point of view of a client application,the method for checking membership is uniform and is performed on theserver side.

Roles and Dynamic Groups

[0088] One of the differences between roles and dynamic groups is thatdynamic groups impose a requirement on a directory client program toretrieve and correctly process the group definition. This makes clientsoftware more complex, reduces performance and brings the potential forerrors on the client, either accidental or deliberate. Roles introducean abstract membership test mechanism which allows responsibility formembership to rest with the directory server. The client only has toknow the name of a role which is of interest to it, and how to test rolemembership in general.

Role Operations

[0089] Given arbitrary roles and entries, the following operations areuseful to clients:

[0090] 1. Enumerate the members of a role (i.e., provide an answer tothe question, “which entries have this role?”) It is also useful to beable to resolve this query in a reasonable time (significantly less thanthe time to find the members by brute force examination of all theentries). It is also useful to be able to retrieve the entries in apaged or browsing fashion, using the existing LDAP VLV mechanism.

[0091] 2. Determine whether a given entry possesses a particular role.It is useful to be able to do this more efficiently than by determiningall the roles possessed by the entry and then checking whether thetarget role is among that set of roles.

[0092] 3. Enumerate all the roles possessed by a given entry.

[0093] 4. Assign a particular role to a given entry.

[0094] 5. Revoke a particular role from a given entry.

[0095] It should be noted that when operations are performed on roles,the CPU 104 can be programmed to search for roles possessed by entriesusing boolean operators. More specifically, the following booleanoperators can be used in determining whether an entry possesses a givenrole. Operator Symbol Operation Equal = An instance of a searchattribute exactly matches a role possessed by an entry. Contains * Awild card operator to allow presence check or partial matches. Soundslike ˜= Operator used in name searches. Greater than or equal >= Used innumerical searches. Less than or equal <= Used in numerical searches.Negation ! Used to negate an expression. AND & Used to combineexpressions. OR | Used to select from expressions.

Simple and Complex Roles

[0096] Imagine that all roles were treated similarly. A role definitioncould be as complex as required or desired. An example of a highlycomplex role would be that of a nested role whose component rolesincluded filters using custom matching rules and attribute syntax.

[0097] 1. Membership enumeration: to enumerate the members, a clientwould need to separately enumerate the component roles, by submittingsearch operations to the server. The results would need to be aggregatedby the client, eliminating any duplicates. This can be more complex andonerous for users that need only simple role operations.

[0098] 2. Determine whether a given entry possesses this role: this isdifficult for a client to do. A brute force method would inefficient.Some associative indexing scheme could potentially help but can be hardto implement in an efficient manner.

[0099] 3. Enumerate all the roles possessed by a given entry—this ismore computationally complex than determining whether an entry possessesa particular role.

[0100] 4. Assign a particular role to a given entry—this alsocomputationally complex, because it requires semantic knowledge of roledefinition.

[0101] 5. Revoke a particular role from a given entry—similar to (5)above, this is complex because it requires semantic knowledge of roledefinition.

[0102] For a complex role such as the example used above, it is hard orvery hard to implement any of the five desirable role operations.Therefore it would be convenient to define a role type with deliberatelylimited flexibility, which role is called a “simple” role. The simplerole allows all five of the desirable role operations to be implementedrelatively easily and efficiently. Any role that is not a simple role isby definition a complex role. In the role definition schema, there aretwo “abstract” object classes to distinguish between simple and complexroles: nsSimpleRole and nsComplexRole. The relationship between ObjectClasses and Attribute Types/Syntax to Entries are shown in FIG. 6.

Simple Roles

[0103] A simple role has the following properties:

[0104] 1. Enumerating role membership is easily and efficientlyimplemented—This enumeration can be done using VLV controls, allowingfor better scaling and user experience.

[0105] 2. Computationally less complex and efficient to test an entryfor possession of a particular role.

[0106] 3. Computationally less complex and efficient to enumerate thesimple roles a particular entry possesses.

[0107] 4. It is obvious by inspection of the role definition how toassign a simple role to a given entry.

[0108] 5. It is obvious by inspection of the role definition how torevoke a simple role from a given entry.

Complex Roles

[0109] Roles which are not simple are deemed complex, with theimplication that one or more (perhaps all) of the five operations arecomputationally more complex than for the simple roles. Clients andmanagement agents can determine whether a given role is of the simple orcomplex kind, allowing a user interface (UI) to act appropriately. Theapplication developer can choose not to support or support in a limitedor inefficient manner some server features which use roles, when thetarget role is complex. Internal to the server, it is also possible todeliver notification to subsystems when entries move in and out ofsimple group membership. This can be used to keep metadata cached forperformance reasons coherent with the DIT contents.

Implementing Simple and Complex Roles

[0110] Role is a more flexible entry grouping method than dynamic groupsin part because a role allows a client to obtain the results normallyobtained using static or dynamic groups without increased clientcomplexity. A role can be configured in a number of ways to providedifferent results. Four types or roles are disclosed herein. They are,(1) Managed Role; (2) Filtered Role; (3) Nested Role; and (4) EnumeratedRole.

Managed Role

[0111] An example of a simple role is a managed role with object classnsManagedRole. Managed roles are added to an entry by adding thensRoleDN attribute to the entry. Membership of a managed role isconferred upon an entry by adding the role's DN to the entry's nsRoleDNattribute.

[0112] A “managed” role is one that can be configured to provide searchresults similar to those available with a static grouping mechanism,i.e., to create a group entry that contains a list of members. Managedroles allow a user to create an explicit enumerated list of members.FIG. 7 shows an example of a managed role definition. FIG. 8 depicts anexample entry with a managed role.

[0113] An example of an entry with this role is as follows.

Defining a Managed Role

[0114] As an example, suppose one wants to create a role to be assignedto all marketing staff. Membership of a managed role is conferred uponan entry by adding the role's DN to the entry's nsRoleDN attribute. Theuser can execute a script “ldapmodify” as follows:

[0115] ldapmodify -D “cn=Directory Manager” -w secret -h host -p 389

[0116] Then the user can specify a managed role as follows:

[0117] dn: cn=Marketing,ou=people,dc=siroe,dc=com

[0118] changetype: add

[0119] objectclass: top

[0120] objectclass: LDAPsubentry

[0121] objectclass: nsRoleDefinition

[0122] objectclass: nsSimpleRoleDefinition

[0123] objectclass: nsManagedRoleDefinition

[0124] cn: Marketing

[0125] description: managed role for marketing staff

[0126] The user can then assign the role to a marketing staff membernamed Bob by executing ldapmodify as follows:

[0127] ldapmodify -D “cn=Directory Manager” -w secret -h host -p 389

[0128] dn: cn=Bob,ou=people,dc=siroe,dc=com

[0129] changetype: modify

[0130] add: nsRoleDN

[0131] nsRoleDN: cn=Marketing,ou=people,dc=siroe,dc=com

[0132] . . .

[0133] add: description

[0134] description: Has the marketing managed role

[0135] . . .

Complex Roles

[0136] Three kinds of complex roles are disclosed herein, viz, filtered,nested and enumerated roles, with corresponding object classesnsFilteredRole, nsNestedRole and nsEnumeratedRole. Other complex roletypes are also possible.

Filtered Role

[0137] A “filtered” role can be configured to provide results similar tothose produced by a dynamic grouping mechanism. This can be achieved byconfiguring the entries in such a way as to match a “filter”. Dynamicgroups allow a user to filter entries that contain a particularattribute and include them in a single group. After creating a role in asimilar manner to that of a managed role, a user assigns entries to afiltered role based on a particular attribute contained by each entry.This is done by specifying an LDAP filter. Entries that match the filterare said to possess the role.

[0138] A filtered role specifies an LDAP filter of arbitrary complexity.Entries matching the filter and within the sub tree specification aresaid to possess the role. FIG. 9 shows an example of a filtered roledefinition.

Defining a Filtered Role

[0139] As an example, consider a filtered role for sales managers. Theuser can execute a script “ldapmodify” as follows:

[0140] ldapmodify -D “cn=Directory Manager” -w secret -h host -p 389

[0141] The user can then specify the filtered role as follows:

[0142] dn: cn=SalesManagerFilter,ou=people,dc=siroe,dc=com

[0143] changetype: add

[0144] objectclass: top

[0145] objectclass: LDAPsubentry

[0146] objectclass: nsRoleDefinition

[0147] objectclass: nsComplexRoleDefinition

[0148] objectclass: nsFilteredRoleDefinition

[0149] cn: SalesManagerFilter

[0150] nsRoleFilter: o=sales managers

[0151] Description: filtered role for sales managers

[0152] The following entry would match the filter and therefore be amember of this filtered role:

[0153] dn: cn=Pat, ou=people,dc=siroe,dc=com

[0154] objectclass: person

[0155] cn: Pat

[0156] sn: Pat

[0157] userPassword: bigsecret

[0158] o: sales managers

[0159] Description: has a filtered role

Nesting in Groups

[0160] Suppose a static group points to a list of entries. If one ofthese entries in the list happens to be a group, the client side codeshould identify and interpret that as a group and expand the group toobtain the entries that fall into that group. If there is no client-sidecode to identify and interpret a group in a list of entries, then theentry representing a group will be treated as an entry representing anindividual member. This is the way nesting is performed in LDAP groups.Thus, in the case of static groups, the client has to interpret thenesting, and when it comes across a group, it has to expand the group.

Nested Role

[0161] Nesting with roles can be easily achieved. A nested role is acontainer of other roles. To nest, the DNs corresponding to the rolesare added or encapsulated to form the nested role. A “nested” role canbe configured to provide an additional level of abstraction by nestingdifferent role types—filtered, managed, enumerated or nested—whereby anentry can be a member of any one of the roles in the nesting. Nestedroles allow a user to create roles that contain other roles. A nestedrole can be created with no members nested. Alternatively, a nested rolemay contain one or more members. It should be noted that the nesting orencapsulation is performed if (1) the target entry is within the scopeof the role; and/or (2) target entry is within the scope of the rolethat causes the target entry to possess the nested role.

[0162] For example, if a target entry possesses manager role, then italso possesses the megamanager role. Likewise, if a target entrypossesses network manager role, then it also possesses the megamanagerrole. These two roles, sales manager role and network manager role arenested within the megamanager role. There can be an arbitrary number ofnested within the megamanager role. In this example, an object classnsNestedRole defines the megamanager role to be a nested role. Includedin this nesting are the two roles—sales manager and networkmanager—possessed by the megamanager role. It should be noted that anentry cannot be assigned a nested role. An entry may possess a nestedrole by also possessing a role which is nested within the nested role.

[0163] Assume an E-mail application. Suppose one wishes to send amessage to both sales managers and network managers. Assume further thatthe sender is aware of the E-mail address of the megamanager role. Withnested role, the E-mail can be directed toward the megamanager role, andall roles that are nested within the mega manager role—in this example,all sales managers and all network managers—will receive a copy of theE-mail. To do this the application has only to test to ensure that thecandidate entry to whom it sends the E-mail possesses the megamanagerrole, and not the particular role, whether sales manager or networkmanager. In the case of static groups, the client application has tointerpret a group to decide whether an entry is a member of the group.In the case of roles, there is no need to do this. It is sufficient totest for the role value in the nsRole attribute.

[0164] The roles nested within the nested role are specified using thensRoleDN attribute. FIG. 10 shows an example of a nested roledefinition.

Defining a Nested Role

[0165] Suppose a user wishes to create a role that contains both themarketing staff and sales managers contained by the roles created in theprevious examples. A nested role created using the script “ldapmodify”may appear as follows:

[0166] dn: cn=MarketingSales,ou=people,dc=siroe,dc=com

[0167] changetype: add

[0168] objectclass: top

[0169] objectclass: LDAPsubentry

[0170] objectclass: nsRoleDefinition

[0171] objectclass: nsComplexRoleDefinition

[0172] objectclass: nsNestedRoleDefinition

[0173] cn: MarketingSales

[0174] nsRoleDN: cn=SalesManagerFilter,ou=people,dc=siroe,dc=com

[0175] nsRoleDN: cn=Marketing,ou=people,dc=siroe,dc=com

[0176] Both the users in the previous examples, Bob and Pat, would bemembers of this new nested role.

Defining an Enumerated Role

[0177] An enumerated role, as the name indicates, is an enumeration or alist of members. These members are members that possess this role. Themembers need not have anything else in common. Only individual members,and not roles such as the aforementioned sales manager roles are allowedin an enumerated role.

[0178] An enumerated role is the static group reborn, but with twoimportant differences. No nesting is allowed within an enumerated role,which permits a valuable optimization not possible with static groups.The behavior of an enumerated role that includes a nesting can beundefined or implementation-dependent.

[0179] Another difference between static groups and enumerated roles isthat enumerated roles have a scope and LDAP groups do not have scope.Scope of a role includes, as defined elsewhere in this application, allentries in the directory tree that are at or below the level at whichthe role is defined. It is illegal to add a member to an enumeratedgroup where that entry lies outside the subtree specification. Thedirectory server software interprets an enumerated list and performs arequired operation on the list members. An example of an enumerated roledefinition is shown in FIG. 11.

[0180] Taking the E-mail application example from before, if an E-mailis sent to an address that is mapped to the DN of peonrole, which is anenumerated role, then the client tests for the existence of the rolepeonrole and routes the E-mail to all entries that possess peonrole.

[0181] Table 1 lists object classes and attributes associated with eachrole type. Table 2 delineates how the roles are implemented. TABLE 1Object Classes and Attributes for Different Role Types Role Type ObjectClass Attributes Managed Role nsManagedRoleDefinition description(optional) Filtered Role nsFilteredRoleDefinition nsRoleFilterdescription (optional) Nested Role nsNestedRoleDefinition nsRoleDNdescription (optional) Enumerated Role nsEnumeratedRoleDefinitiongroupmember description (optional)

[0182] TABLE 2 Role Implementation Managed Filtered Nested EnumeratedRole Role Role Role Membership LDAP search LDAP subtree No generic Nogeneric Enumeration with filter search with method. method. nsRoleDN =baseDN from the <role's dn> subtree (indexed and specification andsupports VLV) filter from the nsRoleFilter attribute. (VLV indexingoptional) Membership test LDAP compare LDAP compare LDAP compare LDAPcompare against against nsRole against nsRole against nsRole nsRoleDNattribute. attribute. attribute or attribute. LDAP compare entry's DNagainst Role's groupmember attribute. Role Read nsRoleDN Read nsRoleRead nsRole Read nsRole Enumeration attribute. attribute. attribute.attribute. Assign Role LDAP modify, Marginally Marginally Add entry's DNadd role's DN to meaningful. meaningful. to the role entry's nsRoleDNmembership list. attribute. Revoke Role LDAP modify, MarginallyMarginally Remove entry's remove role's DN meaningful. meaningful. DNfrom the role from nsRoleDN entry's attribute. membership list.

[0183] It should be noted that roles inherit from the ldapsubentryobject class which is defined by the IETF based in part on the subentryconcept defined in the ISO standard, ISO/IEC X.509. Further, it shouldbe noted that once roles are created, graphical user interfaces can bedesigned to view, edit, modify, inactivate, reactivate, or delete roleor role entries.

Roles and Access Control

[0184] Access control rules can be defined such that the roles possessedby an entry determine its access rights. A directory server storesinformation to control access to roles in an attribute named AccessControl Information (ACI). ACI stores the directory server accesscontrol information for a particular entry. ACIs take the general form

aci: (<target>)(version 3.0;acl“<name>”;<permission><bind rule>;)

[0185] where,

[0186] <target> defines the object, attribute, or filter used to definewhat resource to controlling access to. The target can be a DN, one ormore attributes, and/or a single LDAP filter. Target identifies whatdirectory entry the ACI applies to. The target can be, (a) a directoryentry (usually a branch of an organization's directory tree); (b) adirectory entry and one or more entry attributes; or (c) a group ofentries and/or attributes that are the result of a single LDAP filter.

[0187] version 3.0 is a required string that identifies the ACL version.

[0188] ad “<name>” is a name for the ACI. <name> can be any string thatidentifies the ACI. The ACI name is required.

[0189] <permission> defines the actual access rights and whether theyare to be allowed or denied. Permissions specify the type of accessallowed or denied. An organization can either allow or deny an entityfrom performing specific operations to the directory. The variousoperations that can be assigned are known as rights. In oneimplementation, by default all users are denied access rights of anykind. The exception to this is the user defined in the Root DN parameterof an LDAP directory. This user is known as the root or unrestricteduser. The unrestricted user has full access to a directory regardless ofthe permissions set for the directory. For this reason, user must setsome permissions for a directory if a user wants any normal users to beable to access the directory. There are two parts to settingpermissions: (a) Allowing or denying access; and (b) Assigning rights.

[0190] <bind rule> identifies the circumstances under which thedirectory log in must occur in order for the ACI to take effect. Bindingrefers to logging in or authenticating to the directory. Thecircumstances under which binding occurs determine whether access to thedirectory is allowed or denied. Every permission set in an ACI has acorresponding bind rule that details the specific circumstance underwhich binding must occur for the ACI to be applied. Bind rules can besimple, for example, a bind rule can simply state that the personaccessing the directory must belong to a specific group. Bind rules canalso be more complex, for example, a bind rule can state that a personmust belong to a specific group and must log in from a machine with aspecific Internet Protocol (IP) address, during between 8 AM and 5 PM.Whether access is allowed or denied depends on whether an ACI's bindrule is evaluated to be true. Bind rules use one of the two followingpatterns: (a) <keyword>=“<expression>”; and (b)<keyword>!=“<expression>”, where equal (=) indicates that <keyword> and<expression> must match in order for the bind rule to be true, and notequal (!=) indicates that <keyword> and <expression> must not match inorder for the bind rule to be true. Bind rules tell who can access thedirectory, when, and from where. More specifically, bind rules specifythe users and groups that can access the directory, the location fromwhich an entity must bind, the time or day on which binding must occur,or the type of authentication that must be in use during binding.Additionally, bind rules can be complex constructions that combine bindmethods using Boolean operators. More on ACI syntax is located athttp://docs.iplanet.com/docs/manuals/directory/admin30/adminix.htm,visited Feb. 8, 2001, which description is incorporated herein byreference in its entirety.

[0191] To implement access control for roles, the ACI syntax of adirectory server could be extended to support a “role” property. In somecases a user may wish to protect the value of the nsRoleDN attributewith an ACI, as the attribute is writable. Not every role is suitablefor use in a security context. When creating a new role, consider howeasily the role can be assigned to and removed from an entry. Sometimesit is appropriate for users to be able to easily add themselves to orremove themselves from a role. For example, if a user is part of aninterest group role called Mountain Biking, the user may want interestedusers to add themselves or remove themselves easily. But in somesecurity contexts such as account inactivation, it is inappropriate tohave open roles. By default, in some implementations, accountinactivation roles contain ACIs defined for their suffix. When creatinga role, the server administrator can decide whether a user can assignthemselves to or remove themselves from the role.

[0192] For example, user A possesses the managed role (MR). The MR rolehas been locked using account inactivation through the command line.This means that user A cannot bind to the server because thensAccountLock attribute is computed as “true” for that user. However,suppose the user was already bound and noticed that he is now lockedthrough the MR role. If there are no ACLs preventing him, the user canremove the nsRoleDN attribute from his entry and unlock himself.

[0193] To prevent users from removing the nsRoleDN attribute, thefollowing ACIs may be appropriate depending upon the type of role beingused.

Access Control with Managed Roles

[0194] Because management of managed roles requires access rights tomodify the target entries, it becomes important to control accessappropriately to the nsRoleDN attribute. Access control rules can bedefined which restrict modification access rights to just the nsRoleDNattribute. Furthermore, access control rules can be defined such that aparticular client is restricted to adding or removing a specific set ofvalues. This means that a particular client will be able to, say, assignand remove access to the accounting application (which is done by meansof a managed role), but the same client can not promote users to thesystem administrator managed role.

[0195] For entries that are members of a managed role, use the followingACI to prevent users from unlocking themselves by removing theappropriate nsRoleDN: aci: (targetattr=“nsRoleDN”) (targetattrfilters=“add=nsRoleDN: (!(nsRoleDN=cn=AdministratorRole,dc=siroe,dc=com)),del=nsRoleDN: (!(nsRoleDN=cn=nsManagedDisabledRole,dc=siroe,dc=com ))”)(version3.0; aci “allow mod of nsRoleDN by self but not to criticalvalues”; allow(write) userdn=“ldap:///self”;)

Access Control with Filtered Roles

[0196] The attributes that are part of the filter should be protected sothat the user cannot relinquish the filtered role by modifying anattribute. The user should not be allowed to add, delete and modify theattribute used by the filtered role. If the value of the filterattribute is computed, then all attributes that can modify the value ofthe filter attribute should be protected in the same way.

Access Control with Nested Roles

[0197] A nested role includes filtered and/or managed roles, so theabove points should be considered for each of the roles that include thenested role.

Roles Within Scope of an Entry

[0198] Every entry possessing a role has a “scope”. The scope of a rolestarts at the parent of the role entry and extends to all entrieshierarchically below the parent. The scope of a role at a given roleentry determines which other entries can possess the same role. Forexample, assume that there are two hierarchies of directories A and B(tree-structures) connected at the root level, as shown in FIG. 12.

[0199] Thus, the scope of a role defined for an entry at (subtree) levelA includes all the entries that are at and below subtree A. It should benoted that the scope of the role defined for an entry at (subtree) levelA does not include any entries that are defined at or below the subtreeB. In this way, the scope is a way of limiting the search for entriesthat possess a particular role. For example, suppose two roles, bothcalled Administrator, are defined at two subtrees A and B respectively.This could happen, for instance, in an organization where subtree A isthe directory hierarchy for computer systems that are in a particularnetwork (e.g., one campus of a company or a university), and the subtreeB is the directory hierarchy for computer systems that are in adifferent network (e.g., a different campus). Though there could be twoadministrator roles, one for each campus network, access permissionsgranted to one campus administrator could be different from thosegranted to an administrator of a different campus. The scope of subtreeA limits any access rights granted to an administrator of campus A fromallowing an entry possessing that administrator role to access computersunder subtree B.

Implementing Role Functions

[0200] The following algorithms can be used to implement certain rolefunctions described above. It should be noted that persons of ordinaryskill in the art can choose to implement these algorithms by alteringthe order of the steps described herein or by making inconsequentialmodifications.

a. Enumerating Entries that Possess a Role

[0201]FIG. 13 depicts the steps performed at the server in enumeratingthe entries that possess a given role: For each entry within scope, thecomputed attribute nsRole is calculated and then examined to see if therole is present. This results in a list of entries that possess therole. The list is thereafter returned to a client. The client receivesthe results of the search and enumerates all the entries returned.

Deciding between Roles and Groups

[0202] Roles transfer some complexity from the client side to the serverside. With roles, clients can check role membership by searching thensRole attribute. In the case of roles, the method for checkingmembership is uniform from the point of view of the client application,and is performed on the server side.

[0203] On the other hand, dynamic groups offer no client applicationsupport from the server to provide a list of group members. Instead, theapplication retrieves the group definitions and then runs the filter.For static groups, the application must make sure that the user is apart of a particular UniqueMember value. In this case, the method fordetermining group membership is not uniform for all applications.

[0204] Managed roles allow a user to perform all actions performednormally on static groups. Filtered roles allow a user to perform allactions normally performed on dynamic groups. While they decrease clientside complexity, roles increase the server side complexity, becauseevaluating roles is more resource intensive.

D. Overview of Class of Service

[0205] In many cases, properties considered to belong to an individualuser profile are in fact determined as a group by the user's “class ofservice” (CoS). Consider for example a voice mail system. Each user issubject to a number of resource limits including the number of messagespermitted in their mailbox; the maximum length of message which can berecorded; whether or not they're allowed to make outgoing calls via theautomated attendant. Rather than storing the individual values for eachof these resource limits on each users' directory entry, several classesof service are defined, each with resource limits appropriate to adifferent type of user. The “superuser” class might have very highresource limits while the “ordinary user” class would have lower limits.Now each user's directory entry need only contain the service class towhich they belong. This is both smaller than the complete set ofresource limit attributes, and also much easier to manage because thenumber of service classes is much smaller than the number of users.

[0206] As an example, suppose a directory contains thousands of entriesall of which share a common attribute for fax number,facsimileTelephoneNumber. Traditionally, in order to change the faxnumber, a client application would have to update each entryindividually. This is a large administrative task, and sometimes therecould be a risk of not updating all entries.

[0207] CoS enables the user to generate the attributefacsimileTelephoneNumber dynamically. The attributefacsimileTelephoneNumber is stored in one location in memory or instorage, and each entry points to that location to give a value to theentry's fax number attribute. To a client application, the CoSattributes appear just like all other attributes of an entry, despitethat CoS attributes are not stored with the entries themselves.

[0208] As shown in FIG. 14, each CoS includes the following entries in adirectory. (1) CoS Definition Entry, which identifies the type of CoSused. CoS is stored as an LDAP subentry below the branch at which it iseffective. (2) Template Entry. The template entry contains a list of theshared attribute values. Changes to the template entry attribute valuesare automatically applied to all the entries sharing the attribute.

Scope of Class of Service

[0209] A CoS for a target entry also has a “scope.” The scope of a CoSstarts at the parent of the CoS definition entry and extends to allentries hierarchically below the parent. The scope of a CoS at a givenCoS definition entry determines which other entries can possess the sameCoS. For example, assume that there are two hierarchies of directories Cand D (tree-structures) connected at the root level, as shown in FIG.15.

[0210] Thus, the scope of a CoS defined for an entry at (subtree) levelC includes all the entries that are at and below subtree C. It should benoted that the scope of the CoS defined for an entry at (subtree) levelC does not include any entries that are defined at or below the subtreeD. In this way, the CoS scope is a way of limiting the search forentries that possess a particular CoS attribute. For example, supposetwo CoS entries, both calledfacsimileTelephoneNumber, are defined at twosubtrees C and D respectively. This could happen, for instance, in anorganization where subtree C is the directory hierarchy for a particulardepartment (e.g., sales), and the subtree D is the directory hierarchyfor a different department (e.g., marketing). Though there could be adifferent fasimileTelephoneNumber for each department, suppose thatfaxes to the sales department should not arrive at the fax number forthe marketing department, and vice versa. The scope of the CoS attributefacsimileTelephoneNumber at subtree C automatically includes all entriesat or below the level A, and all employee entries defined at level Cwill be listed as having the facsimileTelephoneNumber defined at subtreeC.

[0211] A CoS includes a CoS Definition entry and a Template entry. Thesetwo entries interact to provide attribute values to target entrieswithin their CoS “scope” based on the DN of the CoS Definition entry,the attribute value stored in the target entry's CoS Template, and otherfactors. An entry may be within the scope of a CoS Definition entry butmay not be qualified to receive a value from the scheme made up of CoSDefinition and templates. A CoS specifier is an attribute which containsa value. The value of the CoS specifier is the attribute type which mustbe present in the entry and the value of that attribute determines theclass of the target entry. The absence of that attribute may determineif the target entry qualifies for a default value under the scheme.Thus, the presence or absence of the target entry's CoS specifierdetermines whether the target entry qualifies for a value.

Implementing CoS Feature in a Directory Server

[0212] Typically the CoS feature is implemented by an application andnot by the storage system which contains the user profile data (e.g. adatabase or directory server). This however is more by necessity thandesign, since these storage systems usually don't offer any CoScapability. This section describes a CoS facility for a DirectoryServer, which is suitably implemented in a plugin. It should be notedthat the same general principles can be extended to other storagesystems such as a Database, a flat file and the like.

[0213] CoS allows a user of a directory server to share attributesbetween entries in a way that is transparent to a client application.With CoS, some attribute values may not be stored with the entry itself.Instead, the attribute values are generated by a CoS logic as the entryis transmitted to a client application. Clients of the Directory Serverread user's entries in the normal way. The clients see attributes onthese entries as usual. Some attribute values may not have been storedwith the entry however, they have been generated by CoS logic as theentry is sent to the client.

[0214] The CoS Definition Entry and the Template Entry interact toprovide values to their target entries, which are entries within thescope of CoS Definition entry. The value the CoS Definition Entry andthe Template Entry provide to target entries depends on several factors:

[0215] (a) The entry's DN. (different CoS regimes can be maintained fordifferent portions of the DIT).

[0216] (b) A service class attribute value stored with the entry (forexample: “nsmail-cos:ordinary” in a Messaging Server). The absence ofthe attribute altogether can also imply a specific default CoS.

[0217] (c) The attribute values stored in a class template entry. Onesuch entry is selected to supply the attribute values for one particularservice class.

[0218] (d) The object class of the entry. CoS attribute values will onlybe generated where the entry has an object class which allows theattribute. If schema checking is turned off, this rule is not enforced.

[0219] (e) The attribute values stored in some particular entry in theDIT, for example a container entry.

[0220] (f) The attribute values stored in an entry pointed to by a DNstored in an attribute of the entry.

[0221] It should be noted that multiple CoS schemes can be definedwithin a server. In some embodiments, to define schemes such that theyconflict with each other might be regarded as an illegal definition.

[0222] As shown in FIG. 16, the class template entries for a given CoSscheme are all stored in the DIT, as children of a common parent entry.Each directory entry includes a relative DN (RDN). The relationship ofan entry's RDN to the entry's DN is pictorially shown in FIG. 17. Therelative DNs of the template entries are the respective values of aservice class attribute called cosSpecifier and a default RDN called“cosSpecifier-default”. The cosSpecifier is an attribute in the CoSDefinition entry, whose value is an attribute type that should appear ina target entry, the value of which target entry in turn determines whattemplate entry is to be applied. The default RDN value will be used whenthe service class attribute value is NULL or not present. For example, acosDefinition with a cosSpecifier value of “test”, would have a defaulttemplate of “test-default”.

[0223] First a CoS scheme, which includes a CoS definition, is created.Creating a CoS definition entry results in the creation of a CoSspecifier and a list of attributes which could be provided by the CoSdefinition entry. A CoS scheme also includes a CoS Template entry. Inorder for the CoS mechanism to work, a CoS schme must be associated withat least one template entry. If a CoS scheme is not associated with atleast one template entry, the scheme is ineffective. A CoS templateentry represents a set of attribute-value pairs that could be applied toa target entry. At a later time, any number of template entries—alsosometimes referred to as a service class—may be created under a givenCoS scheme. These CoS template entries are stored as children of acommon parent entry, which could be the CoS scheme entry with which thetemplate entry is associated, or a parent of the CoS scheme entry. Alsocreated with the CoS Definition entry is a list of attribute types thatare to appear in target entries; and a value of the CoS specifier, whichrepresents an attribute type that should appear in target entries, andwhich is used to decide among different possible templates.

[0224] From the client perspective, a service class is a property of anentry. The way to decide what class an entry has is by examining the CoSspecifier property of the entry and the value of the CoS specifierproperty in a target entry determines the template entry to be used.

Types of Classes of Service

[0225] Classes of service definitions (that is, all the information,save the template entries, needed in order to generate attribute valuesdefined by a CoS) are stored in LDAP Subentries, which can be locatedanywhere in the DIT. A directory server user may use different types ofCoS depending on how the user wishes to generate the values of dynamicattributes. There are three types of CoS: (a) Classic CoS; (b) PointerCoS; and (c) Indirect CoS. Corresponding to these different types ofCoS, CoS definition entries have objectclass cosClassicDefinition,cosPointerDefinition or cosIndirectDefinition:

Classic Class of Service

[0226] A classic CoS identifies the template entry by both its DN andthe value of one of the target entry's attributes. Classic CoS can havemultiple template entries, including a default CoS template to beapplied to those entries which do not belong to any other CoS template.

[0227] Classic CoS and Roles can be used together to provide role-basedattributes. These attributes appear on an entry because it possesses aparticular role with an associated CoS template. For example, one coulduse a role-based attribute to set the server look through limit on anyrole-by-role basis.

[0228] In Classic CoS, template entries are selected based on the valueof a specifier attribute in the entry. This is depicted in FIG. 18. Inthis example, a CoS specified by the attribute “mailServiceClass” isdefined. This service class set defines the values of attributes“mailboxquota” and “maySendExternalMail”. The values are to be takenfrom template entries stored in the DIT under “cn=LocalConfig,cn=MailServerCOS”. The service classes only pertain to entries withinthe portion of the tree under “ou=People, o=Netscape.com”. FIG. 19 showsan example of two corresponding template entries.

Using Classic CoS to Provide an Attribute-Value Pair to a Client

[0229] A client program may never even know the existence of a class ofservice in a directory system. The client merely looks to obtain a valueof an attribute for a given target entry, which could be a target entry.For example, suppose a client queries the directory for a fax numbercorresponding to a person John Doe. The client sends a request in a wayit does to any directory system, whether or not the directory systemimplemented fax number as a service class. Thus, the client is not awareof the implementation details of how or where the fax number for JohnDoe is stored or is computed.

[0230] Suppose that the organization of which John Doe is a part assignsa shared fax number to John Doe, Jane Roe and other individuals. In atypical directory system, the fax number (i.e., the actual numberrepresenting the fax number such as 650-555-1212) is stored in adirectory or other database in a record associated with John Doe. Butsince the attribute is shared by a number of people, and since therecould be changes to these people, it is better to store the fax numberin one location and assign a fax number attribute to the individualrecords corresponding to these individuals. In such a scheme, thedirectory server first receives a request for an attribute-value pairassociated with a target entry (John Doe), and looks up to determinewhich template entry is relevant to determining a value to the attributerequested. This is done by performing a search of a list ofattribute-value pairs which are associated with template entries. Thesetemplate entries are in turn associated with CoS Definition entries forinstances of attribute-value pairs that match the requested attributetype. A result of this search is a list of matched list ofattribute-value pairs. This list is stored in memory and a number ofconstraints are applied to the list of matched attribute-value pairs.The resulting attribute-value pair is what is returned to the client.

[0231] To apply a constraint to the list, the directory server iteratesthrough the matched list of attribute-value pairs in order to determine(1) if a given attribute-value pair is in the same CoS scope as therequested attribute-value pair, (2) if the CoS specifier of theattribute-value pair matches the specifier of the corresponding CoSdefinition, if the CoS specifier of the attribute-value pair matches thecorresponding CoS Template. Other constraints that could be appliedinclude whether the attribute-value pair has a priority—i.e., whether itclosely matches a CoS scheme to the entry hierarchically, sorted in apriority order, said priority being determined by the position on thedisk, etc.

[0232] To accomplish this search, advantageously, the CoS Definitionentries, the CoS template entries and the target entries may be readfrom disk to memory so that a fast searching algorithm may be applied inmemory, thereby avoiding disk hits.

Pointer Class of Service

[0233] In the case of Pointer CoS, there is no CoS specifier, i.e., anentry cannot choose between two or more CoS schemes. A pointer CoSidentifies a template entry using only the entry's Template DN. For eachpointer CoS, the definition points to a single template entry (templateDN). A pointer CoS applies to all entries within the scope of thetemplate entry.

[0234] Referring to FIG. 20, which shows a diagrammatic version of apointer CoS in a Directory Information Tree (DIT), at a branch node2000, a Pointer CoS is defined by two entries, the Pointer CoSDefinition Entry 2010 and the Pointer CoS Template Entry 2020. Targetentries 2030 that are within the scope of this pointer CoS are alsoshown. Any target entry within scope of the Pointer CoS definition ofthe branch node 2000 get the value provided by that template, if theyare qualified to get any value. The difference between Classic CoS andPointer CoS is that in the latter, there is no choice of what value atarget entry may get for that CoS scheme. This important differencebetween Classic CoS and Pointer CoS can be appreciated with reference toa DIT depicting Classic CoS as shown in FIG. 21. An example of a pointerCOS is as shown in FIG. 22. In this example, every target entry willinherit the organization's fax number, unless a particular target entryhas its own fax number attribute.

Indirect Class of Service

[0235] An indirect CoS identifies the template entry using the value ofone of the target entry's attributes. In Indirect CoS, template entriesare not defined within the CoS Scheme along with the CoS Definitionentry. A first target entry may indirectly use a second target entry asa template entry and take on the second target entry's attribute-valuepairs. It should be noted, however, that the first target entry's CoSspecifier attribute must contain the DN of an existing and valid secondtarget entry. Thus, in indirect CoS, a DN-valued attribute in the firsttarget entry points to a temporary template entry, which is the secondtarget entry's attribute-value set. The value in the attribute-valuepair, which represents the CoS specifier must be a DN and must point toa valid entry.

[0236] Referring to FIG. 23, an indirect CoS scheme contains a CoSDefinition Entry 2310, which contains a CoS specifier X and a list ofattributes. This CoS specifier X is an attribute such as manager thatpoints to another entry, which could be any entry or another targetentry. This list of attributes could include, for example, a fax numberattribute that is shared by all the persons in a particular groupmanaged by that manager. Three target entries A, B and C are shown inFIG. 23. Of these entries, C could be a manager of the group. Entry Auses indirect CoS to take on the values for certain attributes, such asfax number, from A's manager, i.e., target entry C. Note that in orderfor this to be possible, the value given to the CoS specifier X in A'sentry must be a valid DN, in this case, the DN of the manager entry C.FIG. 24 shows an example of an indirect CoS. In this example, eachperson's entry will inherit “accounting code” from their manager'sentry. When an employee moves to another department, and thereby hismanager changes, accounting codes automatically change to the correctnew value when an employee's manager attribute changes.

Interaction with Stored Attribute Values

[0237] If the CoS logic in a directory server detects that the attributewhose value it is generating is in fact already stored on the targetentry, the default action is to supply the stored value to the clientthat requested the value of the attribute. However, the server'sbehavior can be controlled by means of the cosDefinition entry. ThecosAttribute values allow an additional qualifier appended after theattribute type name. Valid qualifier values include “override”,“default” and “operational”. An absent qualifier means the same as“default”. Override can mean that the server will always return thevalue generated by the CoS logic even when there is a value stored withthe entry. Default can imply that the server will only return agenerated value if there is no corresponding attribute value stored withthe entry. Operational can indicate that the attribute will only bereturned if it is explicitly requested in the search. In addition,operational attributes suitably are not required to pass a schema checkto be returned. Other embodiments can have different methods ofimplementing this feature. The operational qualifier can be combinedwith default or override to produce the required behavior.

[0238] For example,

[0239] dn: cn=messaging_server_cos, cn=cosdefinitions, o=NetscapeRoot

[0240] objectclass: top

[0241] objectclass: cosSuperDefinition

[0242] objectclass: cosClassicDefinition

[0243] cosTemplateDn: cn=LocalConfig, cn=MailServerCOS

[0244] cosSpecifier: mailServiceClass

[0245] cosAttribute: mailboxquota override

[0246] cosAttribute: hassmellyfeet default operational

[0247] cosAttribute: maysendexternalmail default

A Note on Templates

[0248] Since it is possible to create CoS schemes that compete with eachother to provide an attribute value, it is desirable to be able todetermine which would prevail in such a case. For maximum flexibility,it would also be desirable to be able to do this at the template levelsuch that even templates from the same scheme are prioritized. Note thatmultiple template matches in the same scheme is possible because thecosSpecifier can be mutli-valued, and with role-based attributes, (seeSection C. Overview of Roles, supra) this is even quite likely tohappen. To this end, the cosTemplate objectclass has a single allowedattribute: cosPriority.

[0249] The cosPriority attribute represents the global priority of aparticular template as a numeric decimal value. In this priority schemezero is the highest possible priority with the lower prioritiesextending towards infinity. Templates with higher priorities will befavored over and to the exclusion of templates with lower priorities.Templates which do not have a cosPriority attribute are considered tohave the lowest priority possible, or no priority. In the case where twoor more templates are being considered for supply of an attribute value,and they have the same (or no) priority, the result is undefined, butdoes not exclude the possibility that a value will be returned, howeverarbitrarily chosen.

Configuration and Management

[0250] Because all the configuration information and template data isstored as entries in the directory, standard LDAP tools can be used forconfiguration and management. Specialized scripts, command-line toolsand graphical UI could be developed. These would use the LDAP SDK toinspect and change the configuration. Further discussion of such toolsis outside the scope of this document.

Access Control for Class of Service Attributes

[0251] The server controls access to attributes generated by a serviceclass in exactly the same way as regular stored attributes. Accesscontrol rules depending upon the value of attributes within an entrywill behave as expected even when those attribute values are generatedby COS.

Implementation Restrictions

[0252] In some cases, an LDAP search request containing a filter thatreferences an attribute defined by CoS cannot be serviced. The serverwill respond with an “unwilling to perform” message when it is presentedwith such an unsupported request.

E. Implementation and Operation

[0253] Roles can be implemented in a product such as the iPlanetMessaging Server and the iPlanet Directory Server marketed by the SunMicrosystems, Inc. and Netscape Communications Corporation Alliance,based in Santa Clara, Calif. These products allow a user in anorganization to route mail to groups of users. While this is used as anillustration of the principles disclosed, persons of ordinary skill inthe art readily understand that the principles can be practiced in manyother applications, and therefore the disclosure should not be limitedto only those illustrative uses presented herein.

[0254] The Directory Server provides global directory services, i.e., itprovides information to a wide variety of applications. A globaldirectory service solves the n+1 directory problem—whereby informationreplicated in multiple instances of directories could not be managedeasily—by providing a single, centralized repository of directoryinformation that any application can access. A wide variety ofapplications access the directory by way of a communication network.Advantageously, the Directory Server uses LDAP (Lightweight DirectoryAccess Protocol) to give applications access to its global directoryservice.

[0255] The Directory Server can store all of a customer organizationalinformation in a single, network-accessible repository. The followingare illustrations of the kind of information an organization might storein a directory:

[0256] (i) Physical device information, such as data about the printersin the organization (where they reside, whether they are color or blackand white, their manufacturer, date of purchase, and serial number).

[0257] (ii) Public information concerning an employee, such as name,E-mail address, and department.

[0258] (iii) Private information related to an employee, such as salary,government identification numbers, home addresses, phone numbers, andpay grade.

[0259] (iv) Contract or account information, such as the name of theclient, final delivery date, bidding information, contract number, andmilestone due dates.

[0260] The Directory Service could be designed as a general-purposedirectory, which serves the needs of a wide variety of applications andprovides a standard protocol and application programming interfaces(APIs) to access the information it contains.

[0261] The Directory Server, in an embodiment, includes the directoryitself, the server-side software that implements the LDAP protocol, anda graphical user interface that allows end-users to search and modifythe directory. Other LDAP clients are also available, including thedirectory managers in a Console and the Address Book feature in NetscapeCommunicator. In addition, a user can purchase other LDAP clientprograms or write own programs using an LDAP client Software DevelopmentKit (SDK) included by a Directory Server manufacturer.

[0262] Without adding other LDAP client programs, the Directory Servercan provide the foundation for an organization's intranet or extranet. Aserver can be configured to use a directory as a central repository forshared server information such as employee, customer, supplier, andpartner data.

[0263] Directory Server can be used to manage extranetuser-authentication, create role-based access control, set up userpreferences, and centralize user management. In hosted environments,partners, customers, and suppliers can manage their own portions of thedirectory, reducing administrative costs.

[0264] An directory client (or client for short) accesses a directory byinteracting with a Directory server through the LDAP API, which is a setof functions (or classes) that request the server to perform operationsdefined by the LDAP protocol. For example, the server responds to asearch request by searching the directory and returning a list of thematching entries. Netscape Communicator is an example of an LDAP client;Communicator's address book feature enables a user to look up a person'se-mail address in various directories located on LDAP servers—not onlythe user's personal address book but also a corporate-wide directory oran Internet-wide directory such as the one available athttp://www.Four11.com.

Overview of Directory Server Architecture

[0265] A Directory Server includes the following components:

[0266] (a) A front-end responsible for network communications,

[0267] (b) One or more backend plug-ins for database management, and

[0268] (c) A basic directory tree containing server-related data.

[0269] The front-end of Directory Server manages communications withdirectory client programs. The Directory Server may be implemented as adaemon process on UNIX® systems and as a service on Windows-NT®.Multiple client programs can communicate with the server in LDAP format.They can communicate using LDAP over both TCP/IP and SSL/TCP/IP,depending on whether the client negotiates use of Transport LayerSecurity (TLS) for the connection.

[0270] When the communication takes place with transport layer security(TLS), then it is usually encrypted. TLS can be used in conjunction withsecured DNS to provide confirmation to client applications that they arebinding to the correct server. If clients have been issued withcertificates, TLS can be used to confirm that the client has the rightsto access the server. TLS or its predecessor SSL can be used in theDirectory Server to perform security activities such as messageintegrity checks, digital signatures, and mutual authentication betweenservers.

[0271] Multiple clients can bind to the server at the same time over thesame network because the Directory Server is a multi-threadedapplication. As directory services grow to include larger numbers ofentries or larger numbers of clients spread out geographically, theyalso include multiple Directory Servers placed in strategic locationsaround the network.

[0272] In an embodiment, the Directory Server relies on plug-ins. Aplug-in is a way to add functionality to the core server. For example,an LDBM database is a plug-in. Plug-ins can have a state, i.e., they canbe present but disabled. A user can enable any of the plug-ins providedwith Directory Server depending upon the functionality the user wants toadd to server. In addition, custom plug-ins can be written for DirectoryServer.

[0273] Directory data is stored in an LDBM database. Advantageously, theLDBM plug-in is automatically installed with the directory server and isenabled by default. A user can make as many instances of the LDBMdatabase as needed. The LDBM database is the basic unit of storage,performance, replication, and indexing. A user can perform operationssuch as importing, exporting, backing up, restoring, and indexing on thedatabase.

[0274] In one embodiment, Directory Server uses a single database toconfigure a directory tree. This database can manage millions ofentries. In alternative embodiments, the database supports advancedmethods of backing up and restoring data, so that user data is not atrisk. Directory Server can support multiple databases. A user candistribute data across the databases, allowing the server to hold moredata than can be stored in a single database.

[0275] In an embodiment, the Directory Server uses a format such as theLDAP Data Interchange Format (LDIF), which is a standard text-basedformat for describing directory entries. LDIF is defined in RFC 2849 andis available through sources such as the IETF. An LDIF-compliantdirectory has one or more directory entries separated by a blank line.An entry is a group of lines in the LDIF file that contains informationabout an object, such as a person in an organization or a printer on anetwork. Information about the entry is represented in the LDIF file bya set of attributes and their values. Each entry has an optional entryidentifier (ID), a required distinguished name, one or more objectclasses, and one or more attribute definitions. The object class isattribute that specifies the kind of object the entry describes anddefines the set of additional attributes it contains. Each attributedescribes a particular trait of an entry.

[0276] The basic form of a directory entry expressed in the LDIF formatis: dn: <distinguished name> <objectclass> <object class> <objectclass><object class> . . . <attribute type>[;subtype]: <attribute value><attribute type>[;subtype]: <attribute value> . . .

Creating an Organizational Entry

[0277] Directories often have a top-level entry for an organization. Ingeneral, this is the first, root, or topmost entry in a directory. Theorganizational entry often corresponds tot he suffix set of thedirectory. For example, if the directory is defined to use a suffix ofdc=siroe, dc=com, then the organization entry likely will be nameddc=siroe, dc=com. The LDIF specification for an organization entry hasthe form: dn:<distinguished name> objectClass: top objectClass:organization o: <organization name> <list of attributes>

[0278] . . .

[0279] As an example,

[0280] dn:dc=siroe,dc=com

[0281] objectclass:top

[0282] objectclass:organization

[0283] o:Siroe Corporation

[0284] description: Fictional company for example purposes

[0285] telephoneNumber: 555-5555

Specifying Organization Unit Entries

[0286] Organizational unit entries are often used to represent majorbranch points, or subdirectories in a directory tree. They correspond tomajor, reasonably static entities within an enterprise structure, suchas a subtree that contains people, or a subtree that contains groups.However, the organizational unit attribute contained in an entry canalso represent a major organization within an enterprise, such asmarketing, or engineering. There could be more than one organizationalunits, and in a typical directory tree, there usually are more than oneorganizational units. An organizational unit can be specified in theLDIF format as follows. dn:<distinguished name> objectclass: topobjectclass: organizationalUnit ou: <organizational unit name> <list ofattributes> . . .

[0287] As an example, the following is an organizational unit entry inthe LDIF format.

[0288] dn: ou=people, dc=siroe, dc=com

[0289] objectclass: top

[0290] objectclass: organizationalUnit

[0291] ou: people

[0292] description: fictional organizational unit for example purposes

[0293] Further, an entry might be of an object classorganizationalPerson, indicating that the entry represents a personwithin a particular organization. This object class might contain agivenname and telephoneNumber attribute for the entry, giving the nameand phone number of the person within the organization. As an example,let us consider the object class inetOrgPerson, the schema for which isgiven below. TABLE Attributes of an LDAP-based inetOrgPerson ObjectAttributes Attribute Description Cn (Required) Defines the person'scommon name. Sn (Required) Defines the person's surname, or last name.BusinessCategory Identifies the business in which the person isinvolved. CarLicense Identifies the person's car license plate number.DepartmentNumber Identifies the department for which the person works.Description Provides a text description of the person. employeeNumberIdentifies the person's employee number. EmployeeType Identifies theperson's type of employment (for example, full time).FacsimileTelephoneNumber Identifies the person's fax number. GivenNameIdentifies the person's given, or first, name. HomePhone Identifies theperson's home phone number. HomePostalAddress Identifies the person'shome mailing address. Initials Identifies the person's initials.JpegPhoto Contains an image in jpeg format. L Identifies the location inwhich the person resides. LabeledURI Specifies a universal resourcelocator that is relevant to the person. Mail Identifies the person'selectronic mailing address. Manager Distinguished name representing theperson's manager. Mobile Identifies the person's mobile phone number. OuIdentifies the organizational unit to which the person belongs. PagerIdentifies the person's pager number. PhysicalDeliveryOfficeNameIdentifies a location where physical deliveries can be made.PostalAddress Identifies the person's business mailing address.PostalCode Identifies the person's business postal code(such as a UnitedStates zip code). PostOfficeBox Identifies the person's business postoffice box. PreferredDeliveryMethod Identifies the person's preferredmethod of contact or delivery. RoomNumber Identifies the room number inwhich the person is located. Secretary Identifies the person's secretaryor administrator. SeeAlso URL to information relevant to the person. StIdentifies the state or province in which the person resides.StreetAddress Identifies a street address at which the person islocated. Aci Identifies access control information for the person'sentry. TelephoneNumber Identifies the person's telephone number. TitleIdentifies the person's title. Uid Identifies the person's user ID.UserPassword Identifies the password with which the person can bind tothe directory. x500UniqueIdentifier Undefined.

[0294] Directory Server also includes attributes that are read-only andcalculated by the server. These attributes are called operationalattributes. There are also some operational attributes which can be setby the administrator, for access control and other server functions.

[0295] As stated above, entries in a directory are stored in ahierarchical structure in the directory tree. In an LDAP-compliantdirectory, one can query an entry and request all the entries below itin the directory tree. However, with Directory Server, not all entrieswill be returned in response to an LDAP request. The directory tree cancontain hidden entries that don't appear when clients make requests.These entries are of the object class ldapsubentry. For example, entriesused to define roles and CoS are of the ldapsubentry type. To receivethese entries, clients need to search specifically for entries of thisobject class.

[0296] Sometimes, the server is requested to search and retrieve entriesunder a given subtree of the structure. This subtree is called the basedistinguished name, or base DN. For example, if one makes an LDAP searchrequest specifying a base DN of ou=people, dc=siroe,dc=com, then thesearch operation examines only the ou=people subtree in thedc=siroe,dc=com directory tree.

Creating Target Entries

[0297] Target entries can use the inetOrgPerson, organizationalPerson,and personobject classes shown in the tables below. The distinguishedname entry for a user could be of the form:

cn=full name, ou=organization, . . . , o=base organization, c=country

[0298] For example, if a target entry for Billie Holiday is createdwithin the organizational unit Marketing, and the directory's base DN iso=Ace Industry, c=US, then the person's DN is:

cn=Billie Holiday, ou=Marketing, o=Ace Industry, c=US

[0299] It should be noted that this format could be changed to auid-based distinguished name. The values on the user form fields arestored as the following LDAP attributes: User Field Corresponding LDAPattribute Given Name givenName Surname sn Full Name cn User ID uidPassword userPassword E-mail Address email

[0300] Sometimes a user's name can be more accurately represented incharacters of a language other than the default language. In such cases,a preferred language for users can be specified so that their names willdisplay in the characters of the that language, even when the defaultlanguage is English. An example of a record containing textual dataabout a user can be as follows: LDAP field Comments dn: cn=JohnDoe,o=SUN,c=US dn = the distinguished name, the unique key for therecord. objectclass: top objectclass attributes denote the type ofrecord. objectclass: person objectclass: organizationalPerson givenname:John givenname = the user's first name. A user can have multiplegivennames. sn: Doe sn = surname, the user's last name. Typically thereis only one per record. cn: John Doe cn = common name, the name the useris typically known by in the organization. It is traditionally part ofthe dn, and there is only one per record. uid: jdoe uid = a user's id,used for authentication purposes. mail: guest@sun.com A user's e-mailaddress. There can be multiple per record. Telephone: 202-555-1212 Theuser's telephone number. There can be multiple per record. creatorsname:uid=entadmin,o=SUN,c=US The dn of the user who created this record.createtimestamp: 20000225160825Z The time when record was created, inGMT. description: This entry was modified with A note field; can beanything and there the LWLDAP program by jdoe at 05-Mar-00 can bemultiple entries per record. 7:35:22 AM userpassword: The user'spassword; this example is {SHA}NWdeaPS1r3uZXZIFrQ/EOELxZFA stored insecure hash algorithm format, but can be stored in clear-text or MD5hash format. modifytimestamp: 20000313201039Z The time when record waslast modified, in GMT. modifiersname: uid=entadmin,o=SUN,c=US The dn ofthe user who modified this record. title: Sales Representative The titleof the user

[0301] Each record can be thought of as an object. User objects canbelong to groups of unique members (such as organizational units);groups can in turn belong to other groups.

[0302] The dn usually contains at least the user's first and last names(common name, “cn”), the organizational unit (“ou”) the user belongs to,and the base field of the user's organization's hierarchy (known as thedirectory base, consisting of the organization name, “o,” and country,“c”). One could also include a user's id or social security number orsome other field to help provide uniqueness to a given dn. Here's anexample of such a dn:

cn=John Doe+uid=jdoe,ou=ACS,o=SUN,c=US

[0303] If no special attributes are specified in the dn like uid or ou,the dn is assumed to be at the top of the hierarchy.

Searching a Directory

[0304] Most Directory servers provide a publicly accessible searchinterface that a client can interact with. The Directory specificationallows for boolean, wildcard, and case-insensitive searching. TheDirectory search syntax currently is obscure and arcane, so it does takesome time to get used to. A search can have two steps. As a first step,a hierarchy, called the search base, is specified. An example of asearch base is as follows.

Search Base: o=SUN,c=US

[0305] All the searches will start from our search base, which in thiscase is the root of the SUN (Sun Microsystems, Inc.) Directory serverhierarchy. As a second step, a search filter is specified. Some examplesof filters are as follows.

cn=John Doe

sn=Do*

(&(cn=Jo* Doe)(ou=Accounting))

[0306] The first filter will look for a common name (“cn”) matching JohnDoe. The second filter will search the Directory server for all usersthat have a last name (“sn”) with “Do” as the first two letters. It willreturn Doe, Dogbert, and Doughtery, but not Plado. The third filter, anexample of a boolean AND search, will return all users who have a firstname that starts with “Jo” and a last name of Doe that are a part of theorganizational unit (“ou”) Accounting. The boolean Directory serveroperators are & for AND, | for OR, and ! for NOT. Notice that in anembodiment, the operator is placed first inside a group of parentheses.

[0307] The code sample below is a Java programming language method thattakes a search base, a user name, and an attribute to search for, andreturns an array of any matches it finds. public synchronized String[ ]getAttrib(String searchBase, String username, String attribute){ //Returns an array of attributes. String [ ] myAttrib = null; try{ // Setsup the Directory server filter. StringMY_FILTER=“(I(uid=“+username+”)(cn=“+username+”))”; // Sets up to passback only the attribute(s) wanted String[ ] attrNames = { attribute };if (searchBase == null ){ searchBase = MY_SEARCHBASE; } // Performs theactual search. LDAPSearchResults res = Id.search(searchBase,LDAPv2.SCOPE_SUB, MY_FILTER, attrNames, false); /* Loops on resultsuntil finished; will only be one!*/ if (res.hasMoreElements( ) ) {LDAPEntry findEntry = (LDAPEntry)res.nextElement( ); /* Gets theattributes of the entry. */ LDAPAttributeSet findAttrs = findEntry.getAttributeSet( ); Enumeration enumAttrs =findAttrs.getAttributes( ); /* Loops on attributes. */ while (enumAttrs.hasMoreElements( ) ) { LDAPAttribute anAttr =(LDAPAttribute)enumAttrs.nextElement( ); String attrName =anAttr.getName( ); if (attrName.equals(attribute) ) { EnumerationenumVals = anAttr.getStringValues( ); Vector myVector = new Vector( );while (enumVals.hasMoreElements( )){ myVector.addElement((String)enumVals.nextElement( )); } myAttrib = new String[myVector.size( )];try{ // Will speed up stepping through enumVals. for(int i=0;;i++){myAttrib[i] = (String)myVector.elementAt(i); }  }catch(ArrayIndexOutOfBoundsException z) { } } } } } catch (LDAPExceptione) { switch( e.getLDAPResultCode( ) ) { case e.NO_SUCH_OBJECT:System.out.printIn(“The specified user does not exist.”); casee.INVALID_CREDENTIALS: System.out.printIn(“Invalid password for user:”+username); default: System.out.printIn(e.toString( ));  }  }  returnmyAttrib; }

Creating an LDAP application

[0308] An directory client application generally follows these stepswhen interacting with a Directory server:

[0309] 1. initializing a session with a Directory server

[0310] 2. authenticating itself to the Directory server

[0311] 3. performing operations

[0312] 4. closing the connection to the Directory server

Initializing a Session with a Directory Server

[0313] During initialization, as shown in the code below (listing), anumber of variables need to be set for the client environment. Thedefault listening port is 389 if SSL is not used, and 636 if SSL isused. // Set to your Directory server host. project.host =“directory.phoenixgroup.com”; // Set to Directory Server port.project.port = 389; // Set to directory base. project.searchBase =“o=Phoenix Group,c=US” // Set to the distinguished name. project.mgr_dn= “cn=SSJS LDAP,ou=Information Services,o=Phoenix Group,c=US” // Set tothe password for the DN. // May be blank for mgr_dn & mgr_pw ifdirectory allows anonymous searches. project.mgr_pw = “<MGR DNPASSWORD>” // Grab an LDAP connection. var Idap = connect(project.host,parseInt(project.port), project.searchBase, project.mgr_dn,project.mgr_pw); if (Idap == null){ // Connection could not be made.write(“Failed to connect to Directory server. See error log or JavaConsole<br>”);} else{ // Store the connection in the project object. */project.Idap = Idap; redirect(“home.htm”); } In a start page (login.htm)the following lines of code can be included, which checks for theexistence of “project.Idap” and redirects back to this page if needed.if (project.Idap == void(0)){ redirect(“init.htm”); // The redirect atthe end of the code is irrelevant when this // initial page is calledduring application or server startup. }

Authenticating the Client to the Directory Server

[0314] When a client application establishes a connection with aDirectory server, the client application has the option to connect as anauthenticated user or anonymously. To perform certain directoryoperations (such as password checking or changing a record's attribute),the client application must be an authenticated user. In some instancesa client is granted extra rights depending on the group of which it is apart.

[0315] When a client application authenticates itself to a Directoryserver database, the Directory server API expects the call to be in theform of a user's dn and password. Users can't be expected to remembertheir full dn but they can usually provide their user id. Directoryserver-based authentication usually performs a search to retrieve theuser's dn and then make an “authenticate” method call, as shown in thecode sample below. var passwd = request.pwd; var login =authenticate(project.Idap,user,passwd); debug(‘<B>’+user+‘</B>’);debug(‘<B>’+passwd+‘</B>’); debug(‘<B>’+login+‘</B>’); if (login ==true){  client.user = user; // I'm doing this instead of a redirect. write(‘<FORM NAME=  “redir” ACTION=“attrib.htm”METHOD=POST>’); write(‘<INPUT TYPE=  “hidden” NAME=“junk”>’); // Need at least onefield.  write(‘</FORM>’);  }  else{ // a redirect is simulated ‘causethe values are not desired to be passed on the URL line write(‘<FORMNAME= “redir” ACTION=“login.htm”METHOD=POST>’); write(‘<INPUTTYPE=“hidden” NAME=“relogin”VALUE=“YES”>’); write(‘<INPUT TYPE=“hidden”NAME=“badpw” VALUE=“YES”>’); write(‘</FORM>’); }

Performing Directory Operations and Disconnecting from the DirectoryServer

[0316] While most data in a Directory server is in a binary format, mostof a user's interaction with the Directory server in an intermediatedata format called LDAP Data Interchange Format (LDIF). This is an ASCIItext representation meant to foster the ability to transfer LDAP databetween servers such as an LDAP-compliant Directory server and tomanipulate Directory server records with a variety of clients. The codebelow shows how to change a user's password. user = client.user; oldpw =request.oldpw; newpw = request.newpw; newpw2 = request.newpw2; if (newpw!= newpw2){ redirect(“changepw.htm”); } else{ var goodpw =authenticate(project.Idap,user,oldpw); if (goodpw == true){ // Changepassword will also test changeAttrib because // changePW is actually awrapper to that method. var didChange = changePW(project.Idap,user,user,newpw); if (didChange == true){ write(“Password changed foruser:”+user); write(“<br><a href=\“home.htm\”>Login as a differentuser</a>”); } else{ write(“***ERROR*** Password change failed. Checkerror logs.”);} } else{ redirect(“changepw.htm”); } } * * *

[0317] Although the foregoing description includes some embodiments ofthe principles of a new and useful system, one skilled in the art willreadily appreciate that modifications and rearrangements can be made tothose set forth herein without departing from the spirit and scope ofthe disclosure or without undue experimentation. Accordingly, thefollowing Claims should be construed to encompass such modifications andrearrangements.

What is claimed is:
 1. A method of grouping entries in a directoryserver, said directory server configured to contain roles, the methodcomprising the step of: selecting entries that match an LDAP filterwithin a subtree specification.
 2. The method as in claim 1 wherein theLDAP filter is defined to be of arbitrary complexity.
 3. The method asin claim 1, further comprising the step of: defining an LDAP filter. 4.The method of claim 1, further comprising the step of: providing a setof expressions and boolean operations for use to match entries in adirectory search.
 5. The method of claim 4, wherein the expressionscomprise any one or more of operands connected by the operators, equal =where an instance of the attribute exactly matches the value; contains *which is used as a wild card to allow presence check or partial matches;sounds like ˜= which is used in name searches; greater or equal >= whichis used for numerical comparisons; less or equal <= which is used fornumerical comparisons; negation ! which is used to negate anyexpression; and & which is used to combine two expressions; and or |which is used to select from two expressions.


6. A method of determining the membership of entries that match an LDAPfilter within a directory system, the method comprising the steps of:receiving a query from a client computer, said client computerspecifying a filter definition and a subtree specification; applying thefilter definition to entries to determine if the entries possess aparticular role; and matching all entries within the specified subtreewith the defined filter.
 7. The method of claim 6, further comprisingthe step of: returning any matched entries to the client computer. 8.The method of claim 6, wherein the LDAP filter is defined to be ofarbitrary complexity.
 9. The method of claim 6, further comprising thestep of: defining an LDAP filter.
 10. The method of claim 6, furthercomprising the step of: providing a set of expressions and booleanoperations for use to match entries in a directory search.
 11. Themethod of claim 10, wherein the expressions comprise any one or more ofoperands connected by the operators, equal = where an instance of theattribute exactly matches the value; contains * which is used as a wildcard to allow presence check or partial matches; sounds like ˜= which isused in name searches; greater or equal >= which is used for numericalcomparisons; less or equal <= which is used for numerical comparisons;negation ! which is used to negate any expression; and & which is usedto combine two expressions; and or | which is used to select from twoexpressions.


12. An apparatus comprising, a directory server, said directory serverconfigured to contain roles; a component coupled to the directory serverand configured to select entries that match an LDAP filter within asubtree specification.
 13. The apparatus as in claim 12 wherein the LDAPfilter is defined to be of arbitrary complexity.
 14. The apparatus as inclaim 12, further comprising: a component coupled to the directoryserver and configured to define an LDAP filter.
 15. The apparatus ofclaim 12, further comprising: a component coupled to the directoryserver and configured to provide a set of expressions and booleanoperations for use to match entries in a directory search.
 16. Theapparatus of claim 15, wherein the expressions comprise any one or moreof operands connected by the operators, equal = where an instance of theattribute exactly matches the value; contains * which is used as a wildcard to allow presence check or partial matches; sounds like ˜= which isused in name searches; greater or equal >= which is used for numericalcomparisons; less or equal <= which is used for numerical comparisons;negation ! which is used to negate any expression; and & which is usedto combine two expressions; and or | which is used to select from twoexpressions.


17. An apparatus comprising, a directory server, said directory serverconfigured to comprise entries that possess roles; a first componentcoupled to the directory server, said first component configured todetermine the membership of entries that match an LDAP filter within adirectory server, the first component further comprising: a secondcomponent configured to receive a query from a client computer, saidclient computer specifying a filter definition and a subtreespecification; a third component configured to apply the LDAP filterdefinition to entries to determine if the entries possess a particularrole; and a fourth component configured to match all entries within thespecified subtree with the defined filter.
 18. The apparatus of claim17, further comprising: a fifth component coupled to the directoryserver and configured to return any matched entries to the clientcomputer.
 19. The apparatus of claim 17, wherein the LDAP filter isdefined to be of arbitrary complexity.
 20. The apparatus of claim 17,further comprising: a sixth component coupled to the directory serverand configured to define an LDAP filter.
 21. The apparatus of claim 17,further comprising: a seventh component coupled to the directory serverand configured to define a set of expressions and boolean operations foruse to match entries in a directory search.
 22. The apparatus of claim21, wherein the expressions comprise any one or more of operandsconnected by the operators, equal = where an instance of the attributeexactly matches the value; contains * which is used as a wild card toallow presence check or partial matches; sounds like ˜= which is used inname searches; greater or equal >= which is used for numericalcomparisons; less or equal <= which is used for numerical comparisons;negation ! which is used to negate any expression; and & which is usedto combine two expressions; and or | which is used to select from twoexpressions.